bpftrace

Display bpftrace version

$ bpftrace -V

$ sudo bpftrace -l

$ sudo bpftrace -e '[tracepoint:raw_syscalls:sys_enter { @[comm] = count(); ]}'

$ sudo bpftrace [path/to/file]

$ sudo bpftrace -e '[tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); ]}'

$ sudo bpftrace -d -e '[one_line_program]'

bpftrace [OPTIONS] FILENAME
bpftrace [OPTIONS] -e program code

bpftrace is a high-level tracing language and runtime for Linux based on BPF. It supports static and dynamic tracing for both the kernel and user-space.

When FILENAME is "-", read from stdin.

List all probes with "sleep" in their name

  # bpftrace -l *sleep*

Trace processes calling sleep

  # bpftrace -e kprobe:do_nanosleep { printf("%d sleeping\n", pid); }

Trace processes calling sleep while spawning sleep 5 as a child process

  # bpftrace -e kprobe:do_nanosleep { printf("%d sleeping\n", pid); } -c sleep 5

x86_64, arm64 and s390x

Output format

-B MODE, Set the buffer mode for stdout. Valid values are

none No buffering. Each I/O is written as soon as possible
line Data is written on the first newline or when the buffer is full. This is the default mode.
full Data is written once the buffer is full.

-f FORMAT, Set the output format. Valid values are

json
text

-o FILENAME

Write bpftrace tracing output to FILENAME instead of stdout. This doesn’t include child process (-c option) output. Errors are still written to stderr.

--no-warnings

Suppress all warning messages created by bpftrace.

Tracing

-e PROGRAM

Execute PROGRAM instead of reading the program from a file

-I DIR

Add the directory DIR to the search path for C headers. This option can be used multiple times.

--include FILENAME

Add FILENAME as an include for the pre-processor. This is equal to adding #include FILENAME to the start bpftrace program. This option can be used multiple times.

-l [SEARCH]

List all probes that match the SEARCH pattern. If the pattern is omitted all probes will be listed. This pattern supports wildcards in the same way that probes do. E.g. -l kprobe:*file* to list all kprobes with file in the name. For more details see the LISTING PROBES section.

--unsafe

Some calls, like system, are marked as unsafe as they can have dangerous side effects (system("rm -rf")) and are disabled by default. This flag allows their use.

-k

Errors from bpf-helpers(7) are silently ignored by default which can lead to strange results. This flag enables the detection of errors (except for errors from probe_read_*). When errors occurs bpftrace will log an error containing the source location and the error code:

stdin:48-57: WARNING: Failed to probe_read_user_str: Bad address (-14)
u:lib.so:"fn(char const*)" { printf("arg0:%s\n", str(arg0));}
                                                 ~~~~~~~~~

-kk

Same as -k but also includes the errors from probe_read_* helpers.

Process management

-p PID

Attach to the process with PID. If the process terminates, bpftrace will also terminate. When using USDT probes they will be attached to only this process.

-c COMMAND

Run COMMAND as a child process. When the child terminates bpftrace stops as well, as if exit() has been called. If bpftrace terminates before the child process does the child process will be terminated with a SIGTERM. If used, USDT probes these will only be attached to the child process. To avoid a race condition when using USDTs the child is stopped after execve using ptrace(2) and continued when all USDT probes are attached.
The child PID is available to programs as the cpid builtin.
The child process runs with the same privileges as bpftrace itself (usually root).

--usdt-file-activation

activate usdt semaphores based on file path

Miscellaneous

--info

Print detailed information about features supported by the kernel and the bpftrace build.

-h, --help

Print the help summary

-V, --version

Print bpftrace version information

-v

verbose messages

-d

debug mode

-dd

verbose debug mode

Some behavior can only be controlled through environment variables. This section lists all those variables.

BPFTRACE_STRLEN

Default: 64

Number of bytes allocated on the BPF stack for the string returned by str().

Make this larger if you wish to read bigger strings with str().

Beware that the BPF stack is small (512 bytes).

Support for even larger strings is [being discussed]( <https://github.com/iovisor/bpftrace/issues/305>).

BPFTRACE_NO_CPP_DEMANGLE

Default: 0

C++ symbol demangling in user space stack traces is enabled by default.

This feature can be turned off by setting the value of this environment variable to 1.

BPFTRACE_MAP_KEYS_MAX

Default: 4096

This is the maximum number of keys that can be stored in a map. Increasing the value will consume more memory and increase startup times. There are some cases where you will want to: for example, sampling stack traces, recording timestamps for each page, etc.

BPFTRACE_MAX_PROBES

Default: 512

This is the maximum number of probes that bpftrace can attach to. Increasing the value will consume more memory, increase startup times and can incur high performance overhead or even freeze or crash the system.

BPFTRACE_CACHE_USER_SYMBOLS

Default: 0 if ASLR is enabled on system and -c option is not given; otherwise 1

By default, bpftrace caches the results of symbols resolutions only when ASLR (Address Space Layout Randomization) is disabled. This is because the symbol addresses change with each execution with ASLR. However, disabling caching may incur some performance penalty. Set this env variable to 1 to force bpftrace to cache.

BPFTRACE_VMLINUX

Default: None

This specifies the vmlinux path used for kernel symbol resolution when attaching kprobe to offset. If this value is not given, bpftrace searches vmlinux from pre defined locations. See src/attached_probe.cpp:find_vmlinux() for details.

BPFTRACE_BTF

Default: None

The path to a BTF file. By default, bpftrace searches several locations to find a BTF file. See src/btf.cpp for the details.

BPFTRACE_PERF_RB_PAGES

Default: 64

Number of pages to allocate per CPU for perf ring buffer. The value must be a power of 2.

If you’re getting a lot of dropped events bpftrace may not be processing events in the ring buffer fast enough. It may be useful to bump the value higher so more events can be queued up. The tradeoff is that bpftrace will use more memory.

Overview

The bpftrace (bt) language is inspired by the D language used by dtrace and uses the same program structure. Each script consists of an preamble and one or more action blocks.

preamble

actionblock1
actionblock2

Preprocessor and type definitions take place in the preamble:

#include <linux/socket.h>
#define RED "\033[31m"

struct S {
  int x;
}

Each action block consists of three parts:

probe[,probe]
/predicate/ {
  action
}

Probes

A probe specifies the event and event type to attach too.

Predicate

The predicate is optional condition that must be met for the action to be executed.

Action

Actions are the programs that run when an event fires (and the predicate is met). An action is a semicolon (;) separated list of statements and always enclosed by brackets {}

A basic script that traces the open(2) and openat(2) system calls can be written as follows:

BEGIN
{
        printf("Tracing open syscalls... Hit Ctrl-C to end.\n");
}

tracepoint:syscalls:sys_enter_open,
tracepoint:syscalls:sys_enter_openat
{
        printf("%-6d %-16s %s\n", pid, comm, str(args->filename));
}

This script has two action blocks and a total of 3 probes. The first action block uses the special BEGIN probe, which fires once during bpftrace startup. This probe is used to print a header, indicating that the tracing has started.

The second action block uses two probes, one for open and one for openat, and defines an action that prints the file being open ed as well as the pid and comm of the process that execute the syscall. See the PROBES section for details on the available probe types.

Identifiers

Identifiers must match the following regular expression: [_a-zA-Z][_a-zA-Z0-9]*

Comments

Both single line and multi line comments are supported.

// A single line comment
i:s:1 { // can also be used to comment inline
/*
 a multi line comment

*/
  print(/* inline comment block */ 1);
}

Data Types

The following fundamental integer types are provided by the language.

Floating-point

Floating-point numbers are not supported by BPF and therefore not by bpftrace.

Constants

Integers constants can be defined in the following formats:

·

decimal (base 10)

·

octal (base 8)

·

hexadecimal (base 16)

·

scientific (base 10)

Octal constants have to be prefixed with a 0, e.g. 0123. Hexadecimal constants start with either 0x or 0X, e.g. 0x10. Scientific are written in the <m>e<n> format which is a shorthand for m*10^n, e.g. $i = 2e3;. Note that scientific literals are integer only due to the lack of floating point support, 1e-3 is not valid.

To improve the readability of big literals a underscore _ can be used as field separator, e.g. 1_000_123_000.

Integer suffixes as found in the C language are parsed by bpftrace to ensure compatibility with C headers/definitions but they’re not used as size specifiers. 123UL, 123U and 123LL all result in the same integer type with a value of 123.

Character constants can be defined by enclosing the character in single quotes, e.g. $c = c;.

String constants can be defined by enclosing the character string in double quotes, e.g. $str = "Hello world";.

Characters and strings support the following escape sequences:

Type conversion

Integer and pointer types can be converted using explicit type conversion with an expression like:

$y = (uint32) $z;
$py = (int16 *) $pz;

Integer casts to a higher rank are sign extended. Conversion to a lower rank is done by zeroing leading bits.

Operators and Expressions

Arithmetic Operators

The following operators are available for integer arithmetic:

Logical Operators

Bitwise Operators

Relational Operators

The following relational operators are defined for integers and pointers.

The following relation operators are available for comparing strings.

Assignment Operators

The following assignment operators can be used on both map and scratch variables:

All these operators are syntactic sugar for combining assignment with the specified operator. @ -= 5 is equal to @ = @ - 5.

Increment and Decrement Operators

The increment (++) and decrement (--) operators can be used on integer and pointer variables to increment their value by one. They can only be used on variables and can either be applied as prefix or suffix. The difference is that the expression x++ returns the original value of x, before it got incremented while ++x returns the value of x post increment. E.g.

$x = 10;
$y = $x--; // y = 10; x = 9
$a = 10;
$b = --$a; // a = 9; b = 9

Note that maps will be implicitly declared and initialized to 0 if not already declared or defined. Scratch variables must be initialized before using these operators.

Variables and Maps

bpftrace knows two types of variables, scratch and map.

scratch variables are kept on the BPF stack and only exists during the execution of the action block and cannot be accessed outside of the program. Scratch variable names always start with a $, e.g. $myvar.

map variables use BPF maps. These exist for the lifetime of bpftrace itself and can be accessed from all action blocks and user-space. Map names always start with a @, e.g. @mymap.

All valid identifiers can be used as name.

The data type of a variable is automatically determined during first assignment and cannot be changed afterwards.

Associative Arrays

Associative arrays are a collection of elements indexed by a key, similar to the hash tables found in languages like C++ (std::map) and Python (dict). They’re a variant of map variables.

@name[key] = expression
@name[key1,key2] = expression

Just like with any variable the type is determined on first use and cannot be modified afterwards. This applies to both the key(s) and the value type.

The following snippet creates a map with key signature [int64, string[16]] and a value type of int64:

@[pid, comm]++

Variable scoping

Pointers

Pointers in bpftrace are similar to those found in C.

Tuples

bpftrace has support for immutable N-tuples (n > 1). A tuple is a sequence type (like an array) where, unlike an array, every element can have a different type.

Tuples are a comma separated list of expressions, enclosed in brackets, (1,2) Individual fields can be accessed with the . operator. Tuples are zero indexed like arrays are.

i:s:1 {
  $a = (1,2);
  $b = (3,4, $a);
  print($a);
  print($b);
  print($b.0);
}

Prints:

(1, 2)
(3, 4, (1, 2))
3

Arrays

bpftrace supports accessing one-dimensional arrays like those found in C.

Constructing arrays from scratch, like int a[] = {1,2,3} in C, is not supported. They can only be read into a variable from a pointer.

The [] operator is used to access elements.

struct MyStruct {
  int y[4];
}

kprobe:dummy {
  $s = (struct MyStruct *) arg0;
  print($s->y[0]);
}

Structs

C like structs are supported by bpftrace. Fields are accessed with the . operator. Fields of a pointer to a struct can be accessed with the -> operator.

Custom struct can be defined in the preamble

Constructing structs from scratch, like struct X var = {.f1 = 1} in C, is not supported. They can only be read into a variable from a pointer.

struct MyStruct {
  int a;
}

kprobe:dummy {
  $ptr = (struct MyStruct *) arg0;
  $st = *$ptr;
  print($st.a);
  print($ptr->a);
}

Conditionals

Conditional expressions are supported in the form of if/else statements and the ternary operator.

The ternary operator consists of three operands: a condition followed by a ?, the expression to execute when the condition is true followed by a : and the expression to execute if the condition is false.

condition ? ifTrue : ifFalse

Both the ifTrue and ifFalse expressions must be of the same type, mixing types is not allowed.

The ternary operator can be used as part of an assignment.

$a == 1 ? print("true") : print("false");
$b = $a > 0 ? $a : -1;

If/else statements, like the one in C, are supported.

if (condition) {
  ifblock
} else if (condition) {
  if2block
} else {
  elseblock
}

Loops

Since kernel 5.3 BPF supports loops as long as the verifier can prove they’re bounded and fit within the instruction limit.

In bpftrace loops are available through the while statement.

while (condition) {
  block;
}

Within a while-loop the following control flow statements can be used:

i:s:1 {
  $i = 0;
  while ($i <= 100) {
    printf("%d ", $i);
    if ($i > 5) {
      break;
    }
    $i++
  }
  printf("\n");
}

Loop unrolling is also supported with the unroll statement.

unroll(n) {
  block;
}

The compiler will evaluate the block n times and generate the BPF code for the block n times. As this happens at compile time n must be a constant greater than 0 (n > 0).

The following two probes compile into the same code:

i:s:1 {
  unroll(3) {
    print("Unrolled")
  }
}

i:s:1 {
  print("Unrolled")
  print("Unrolled")
  print("Unrolled")
}

While BPF in the kernel can do a lot there are still things that can only be done from user space, like the outputting (printing) of data. The way bpftrace handles this is by sending events from the BPF program which user-space will pick up some time in the future (usually in milliseconds). Operations that happen in the kernel are synchronous (sync) and those that are handled in user space are asynchronous (async)

The async behaviour can lead to some unexpected behavior as updates can happen before user space had time to process the event. One example is updating a map value in a tight loop:

BEGIN {
    @=0;
    unroll(10) {
      print(@);
      @++;
    }
    exit()
}

Maps are printed by reference not by value and as the value gets updated right after the print user-space will likely only see the final value once it processes the event:

@: 10
@: 10
@: 10
@: 10
@: 10
@: 10
@: 10
@: 10
@: 10
@: 10

Kernel and user pointers live in different address spaces which, depending on the CPU architecture, might overlap. Trying to read a pointer that is in the wrong address space results in a runtime error. This error is hidden by default but can be enabled with the -kk flag:

stdin:1:9-12: WARNING: Failed to probe_read_user: Bad address (-14)
BEGIN { @=*uptr(kaddr("do_poweroff")) }
        ~~~

bpftrace tries to automatically set the correct address space for a pointer based on the probe type, but might fail in cases where it is unclear. The address space can be changed with the kptr() and uptr() functions.

Builtins are special variables built into the language. Unlike the scratch and map variable they don’t need a $ or @ as prefix (except for the positional parameters).

Map functions are built-in functions who’s return value can only be assigned to maps. The data type associated with these functions are only for internal use and are not compatible with the (integer) operators.

Functions that are marked async are asynchronous which can lead to unexpected behavior, see the SYNC AND ASYNC section for more information.

avg

variants

·

avg(int64 n)

Calculate the running average of n between consecutive calls.

i:s:1 {
  @x++;
  @y = avg(@x);
  print(@x);
  print(@y);
}

Internally this keeps two values in the map: value count and running total. The average is computed in user-space when printing by dividing the total by the count.

clear

variants

·

clear(map m)

async

Clear all keys/values from map m.

i:ms:100 {
  @[rand % 10] = count();
}

i:s:10 {
  print(@);
  clear(@);
}

count

variants

·

count()

Count how often this function is called.

Using @=count() is conceptually similar to @++. The difference is that the count() function uses a map type optimized for this (PER_CPU), increasing performance. Due to this the map cannot be accessed as a regular integer.

i:ms:100 {
  @ = count();
}

i:s:10 {
  print(@);
  clear(@);
}

delete

variants

·

delete(mapkey k)

Delete a single key from a map. For a single value map this deletes the only element. For an associative-array the key to delete has to be specified.

k:dummy {
  @scalar = 1;
  @associative[1,2] = 1;
  delete(@scalar);
  delete(@associative[1,2]);

  delete(@associative); // error
}

hist

variants

·

hist(int64 n)

Create a log2 histogram of n.

kretprobe:vfs_read {
  @bytes = hist(retval);
}

Results in:

@:
[1M, 2M)               3 |                                                    |
[2M, 4M)               2 |                                                    |
[4M, 8M)               2 |                                                    |
[8M, 16M)              6 |                                                    |
[16M, 32M)            16 |                                                    |
[32M, 64M)            27 |                                                    |
[64M, 128M)           48 |@                                                   |
[128M, 256M)          98 |@@@                                                 |
[256M, 512M)         191 |@@@@@@                                              |
[512M, 1G)           394 |@@@@@@@@@@@@@                                       |
[1G, 2G)             820 |@@@@@@@@@@@@@@@@@@@@@@@@@@@                         |

lhist

variants

·

lhist(int64 n, int64 min, int64 max, int64 step)

Create a linear histogram of n. lhist creates M ((max - min) / step) buckets in the range [min,max) where each bucket is step in size. Values in the range (-inf, min) and (max, inf) get their get their own bucket too, bringing the total amount of buckets created to M+2.

i:ms:1 {
  @ = lhist(rand %10, 0, 10, 1);
}

i:s:5 {
  exit();
}

Prints:

@:
[0, 1)               306 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@         |
[1, 2)               284 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@            |
[2, 3)               294 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@          |
[3, 4)               318 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@       |
[4, 5)               311 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@        |
[5, 6)               362 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[6, 7)               336 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@    |
[7, 8)               326 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@      |
[8, 9)               328 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@     |
[9, 10)              318 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@       |

max

variants

·

max(int64 n)

Update the map with n if n is bigger than the current value held.

min

variants

·

min(int64 n)

Update the map with n if n is smaller than the current value held.

stats

variants

·

stats(int64 n)

stats combines the count, avg and sum calls into one.

kprobe:vfs_read {
  @bytes[comm] = stats(arg2);
}

@bytes[bash]: count 7, average 1, total 7
@bytes[sleep]: count 5, average 832, total 4160
@bytes[ls]: count 7, average 886, total 6208
@

sum

variants

·

sum(int64 n)

Calculate the sum of all n passed.

zero

variants

·

zero(map m)

async

Set all values for all keys to zero.

Functions that are marked async are asynchronous which can lead to unexpected behaviour, see the [sync and async] section for more information.

compile time functions are evaluated at compile time, a static value will be compiled into the program.

unsafe functions can have dangerous side effects and should be used with care, the --unsafe flag is required for use.

buf

variants

·

buf_t buf(void * data, [int64 length])

buf reads length amount of bytes from address data. The maximum value of length is limited to the BPFTRACE_STRLEN variable. For arrays the length is optional, it is automatically inferred from the signature.

buf is address space aware and will call the correct helper based on the address space associated with data.

The buf_t object returned by buf can safely be printed as a hex encoded string with the %r format specifier.

Bytes with values >=32 and <=126 are printed using their ASCII character, other bytes are printed in hex form (e.g. \x00).

i:s:1 {
  printf("%r\n", buf(kaddr("avenrun"), 8));
}

\x00\x03\x00\x00\x00\x00\x00\x00
\xc2\x02\x00\x00\x00\x00\x00\x00

cat

variants

·

void cat(string namefmt, [...args])

async

Dump the contents of the named file to stdout. cat supports the same format string and arguments that printf does. If the file cannot be opened or read an error is printed to stderr.

t:syscalls:sys_enter_execve {
  cat("/proc/%d/maps", pid);
}

55f683ebd000-55f683ec1000 r--p 00000000 08:01 1843399                    /usr/bin/ls
55f683ec1000-55f683ed6000 r-xp 00004000 08:01 1843399                    /usr/bin/ls
55f683ed6000-55f683edf000 r--p 00019000 08:01 1843399                    /usr/bin/ls
55f683edf000-55f683ee2000 rw-p 00021000 08:01 1843399                    /usr/bin/ls
55f683ee2000-55f683ee3000 rw-p 00000000 00:00 0

cgroupid

variants

·

uint64 cgroupid(const string path)

compile time

cgroupid retrieves the cgroupv2 ID of the cgroup available at path.

BEGIN {
  print(cgroupid("/sys/fs/cgroup/system.slice"));
}

exit

variants

·

void exit()

async

Terminate bpftrace, as if a SIGTERM was received. The END probe will still trigger (if specified) and maps will be printed.

join

variants

·

void join(char *arr[], [char * sep = ])

async

join joins all the string array arr with sep as separator into one string. This string will be printed to stdout directly, it cannot be used as string value.

The concatenation of the array members is done in BPF and the printing happens in userspace.

tracepoint:syscalls:sys_enter_execve {
  join(args->argv);
}

kaddr

variants

·

uint64 kaddr(const string name)

compile time

Get the address of the kernel symbol name.

The following script:

kptr

variants

·

T * kptr(T * ptr)

Marks ptr as a kernel address space pointer. See the address-spaces section for more information on address-spaces. The pointer type is left unchanged.

ksym

variants

·

ksym_t ksym(uint64 addr)

async

Retrieve the name of the function that contains address addr. The address to name mapping happens in user-space.

The ksym_t type can be printed with the %s format specifier.

kprobe:do_nanosleep
{
  printf("%s\n", ksym(reg("ip")));
}

Prints:

do_nanosleep

macaddr

variants

·

macaddr_t macaddr(char [6] mac)

Create a buffer that holds a macaddress as read from mac This buffer can be printed in the canonical string format using the %s format specifier.

kprobe:arp_create {
  printf("SRC %s, DST %s\n", macaddr(sarg0), macaddr(sarg1));
}

Prints:

SRC 18:C0:4D:08:2E:BB, DST 74:83:C2:7F:8C:FF

ntop

variants

·

inet_t ntop([int64 af, ] int addr)

·

inet_t ntop([int64 af, ] char addr[4])

·

inet_t ntop([int64 af, ] char addr[16])

ntop returns the string representation of an IPv4 or IPv6 address. ntop will infer the address type (IPv4 or IPv6) based on the addr type and size. If an integer or char[4] is given, ntop assumes IPv4, if a char[16] is given, ntop assumes IPv6. You can also pass the address type (e.g. AF_INET) explicitly as the first parameter.

override

variants

·

override(uint64 rc)

unsafe

Kernel 4.16

Helper bpf_override

Supported probes

·

kprobe

When using override the probed function will not be executed and instead rc will be returned.

k:__x64_sys_getuid
/comm == "id"/ {
  override(2<<21);
}

uid=4194304 gid=0(root) euid=0(root) groups=0(root)

This feature only works on kernels compiled with CONFIG_BPF_KPROBE_OVERRIDE and only works on functions tagged ALLOW_ERROR_INJECTION.

bpftrace does not test whether error injection is allowed for the probed function, instead if will fail to load the program into the kernel:

ioctl(PERF_EVENT_IOC_SET_BPF): Invalid argument
Error attaching probe: kprobe:vfs_read

reg

variants

·

reg(const string name)

Supported probes

·

kprobe

·

uprobe

Get the contents of the register identified by name. Valid names depend on the CPU architecture.

signal

variants

·

signal(const string sig)

·

signal(uint32 signum)

unsafe

Kernel 5.3

Helper bpf_send_signal

Probe types: k(ret)probe, u(ret)probe, USDT, profile

Send a signal to the process being traced. The signal can either be identified by name, e.g. SIGSTOP or by ID, e.g. 19 as found in kill -l.

kprobe:__x64_sys_execve
/comm == "bash"/ {
  signal(5);
}

$ ls
Trace/breakpoint trap (core dumped)

sizeof

variants

·

sizeof(TYPE)

·

sizeof(EXPRESSION)

compile time

Returns size of the argument in bytes. Similar to C/C++ sizeof operator. Note that the expression does not get evaluated.

str

variants

·

str(char * data [, uint32 length)

Helper probe_read_str, probe_read_{kernel,user}_str

str reads a NULL terminated (\0) string from data. The maximum string length is limited by the BPFTRACE_STR_LEN env variable, unless length is specified and shorter than the maximum. In case the string is longer than the specified length only length - 1 bytes are copied and a NULL byte is appended at the end.

When available (starting from kernel 5.5, see the --info flag) bpftrace will automatically use the kernel or user variant of probe_read_{kernel,user}_str based on the address space of data, see ADDRESS-SPACES for more information.

strftime

variants

·

strtime_t strftime(const string fmt, int64 timestamp_ns)

async

Format the nanoseconds since boot timestamp timestamp_ns according to the format specified by fmt. The time conversion and formatting happens in user space, therefore the timestr_t value returned can only be used for printing using the %s format specifier.

bpftrace uses the strftime(3) function for formatting time and supports the same format specifiers.

i:s:1 {
  printf("%s\n", strftime("%H:%M:%S", nsecs));
}

bpftrace also supports the following format string extensions:

strncmp

variants

·

int64 strncmp(char * s1, char * s2, int64 n)

strncmp compares up to n characters string s1 and string s2. If they’re equal 0 is returned, else a non-zero value is returned.

bpftrace doesn’t read past the length of the shortest string.

The use of the == and != operators is recommended over calling strncmp directly.

system

variants

·

void system(string namefmt [, ...args])

unsafe async

system lets bpftrace run the specified command (fork and exec) until it completes and print its stdout. The command is run with the same privileges as bpftrace and it blocks execution of the processing threads which can lead to missed events and delays processing of async events.

i:s:1 {
  time("%H:%M:%S: ");
  printf("%d\n", @++);
}
i:s:10 {
  system("/bin/sleep 10");
}
i:s:30 {
  exit();
}

Note how the async time and printf first print every second until the i:s:10 probe hits, then they print every 10 seconds due to bpftrace blocking on sleep.

Attaching 3 probes...
08:50:37: 0
08:50:38: 1
08:50:39: 2
08:50:40: 3
08:50:41: 4
08:50:42: 5
08:50:43: 6
08:50:44: 7
08:50:45: 8
08:50:46: 9
08:50:56: 10
08:50:56: 11
08:50:56: 12
08:50:56: 13
08:50:56: 14
08:50:56: 15
08:50:56: 16
08:50:56: 17
08:50:56: 18
08:50:56: 19

system supports the same format string and arguments that printf does.

t:syscalls:sys_enter_execve {
  system("/bin/grep %s /proc/%d/status", "vmswap", pid);
}

time

variants

·

void time(const string fmt)

async

Format the current wall time according to the format specifier fmt and print it to stdout. Unlike strftime() time() doesn’t send a timestamp from the probe, instead it is the time at which user-space processes the event.

bpftrace uses the strftime(3) function for formatting time and supports the same format specifiers.

uaddr

variants

·

T * uaddr(const string sym)

Supported probes

·

uprobes

·

uretprobes

·

USDT

Does not work with ASLR, see issue #75 <https://github.com/iovisor/bpftrace/issues/75>

The uaddr function returns the address of the specified symbol. This lookup happens during program compilation and cannot be used dynamically.

The default return type is uint64*. If the ELF object size matches a known integer size (1, 2, 4 or 8 bytes) the return type is modified to match the width (uint8*, uint16*, uint32* or uint64* resp.). As ELF does not contain type info the type is always assumed to be unsigned.

uprobe:/bin/bash:readline {
  printf("PS1: %s\n", str(*uaddr("ps1_prompt")));
}

uptr

variants

·

T * uptr(T * ptr)

Marks ptr as a user address space pointer. See the address-spaces section for more information on address-spaces. The pointer type is left unchanged.

usym

variants

·

usym_t usym(uint64 * addr)

async

Supported probes

·

uprobes

·

uretprobes

Equal to ksym but resolves user space symbols

uprobe:/bin/bash:readline
{
  printf("%s\n", usym(reg("ip")));
}

Prints:

readline

path

variants

·

char * path(struct path * path)

Kernel 5.10

Helper bpf_d_path

Return full path referenced by struct path pointer in argument.

This function can only be used by functions that are allowed to, these functions are contained in the btf_allowlist_d_path set in the kernel.

unwatch

variants

·

void unwatch(void * addr)

async

Removes a watchpoint

print

variants

·

void print(T val)

async

variants

·

void print(T val)

·

void print(@map)

·

void print(@map, uint64 top)

·

void print(@map, uint64 top, uint64 div)

print prints a the value, which can be a map or a scalar value, with the default formatting for the type.

i:ms:10 { @=hist(rand); }
i:s:1 {
  print(@);
  print(123);
  print("abc");
  exit();
}

Prints:

@:
[16M, 32M)             3 |@@@                                                 |
[32M, 64M)             2 |@@                                                  |
[64M, 128M)            1 |@                                                   |
[128M, 256M)           4 |@@@@                                                |
[256M, 512M)           3 |@@@                                                 |
[512M, 1G)            14 |@@@@@@@@@@@@@@                                      |
[1G, 2G)              22 |@@@@@@@@@@@@@@@@@@@@@@                              |
[2G, 4G)              51 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|

123
abc

Note that maps are printed by reference while scalar values are copied. This means that updating and printing maps in a fast loop will likely result in bogus map values as the map will be updated before userspace gets the time to dump and print it.

The printing of maps supports the optional top and div arguments. top limits the printing to the top N entries with the highest integer values

BEGIN {
  $i = 11;
  while($i) {
    @[$i] = --$i;
  }
  print(@, 2);
  clear(@);
  exit()
}

@[9]: 9
@[10]: 10

The div argument scales the values prior to printing them. Scaling values before storing them can result in rounding errors. Consider the following program:

k:f {
  @[func] += arg0/10;
}

With the following sequence as numbers for arg0: 134, 377, 111, 99. The total is 721 which rounds to 72 when scaled by 10 but the program would print 70 due to the rounding of individual values.

Changing the print call to print(@, 5, 2) will take the top 5 values and scale them by 2:

@[6]: 3
@[7]: 3
@[8]: 4
@[9]: 4
@[10]: 5

printf

variants

·

void printf(const string fmt, args...)

async

printf() formats and prints data. It behaves similar to printf() found in C and many other languages.

The format string has to be a constant, it cannot be modified at runtime. The formatting of the string happens in user space. Values are copied and passed by value.

bpftrace supports all the typical format specifiers like %llx and %hhu. The non-standard ones can be found in the table below:

Supported escape sequences

Colors are supported too, using standard terminal escape sequences:

print("\033[31mRed\t\033[33mYellow\033[0m\n")

bpftrace supports various probe types which allow the user to attach BPF programs to different types of events. Each probe starts with a provider (e.g. kprobe) followed by a colon (:) separated list of options. The amount of options and their meaning depend on the provider and are detailed below. The valid values for options can depend on the system or binary being traced, e.g. for uprobes it depends on the binary. Also see LISTING PROBES

It is possible to associate multiple probes with a single action as long as the action is valid for all specified probes. Multiple probes can be specified as a comma (,) separated list:

kprobe:tcp_reset,kprobe:tcp_v4_rcv {
  printf("Entered: %s\n", probe);
}

Wildcards are supported too:

kprobe:tcp_* {
  printf("Entered: %s\n", probe);
}

Both can be combined:

kprobe:tcp_reset,kprobe:*socket* {
  printf("Entered: %s\n", probe);
}

Most providers also support a short name which can be used instead of the full name, e.g. kprobe:f and k:f are identical.

BEGIN and END

These are special built-in events provided by the bpftrace runtime. BEGIN is triggered before all other probes are attached. END is triggered after all other probes are detached.

Note that specifying an END probe doesn’t override the printing of non-empty maps at exit. To prevent the printing all used maps need be cleared, which can be done in the END probe:

END {
    clear(@map1);
    clear(@map2);
}

hardware

variants

·

hardware:event_name:

·

hardware:event_name:count

shortname

·

h

The hardware probe attaches to pre-defined hardware events provided by the kernel.

They are implemented using performance monitoring counters (PMCs): hardware resources on the processor. There are about ten of these, and they are documented in the perf_event_open(2) man page. The event names are:

·

cpu-cycles or cycles

·

instructions

·

cache-references

·

cache-misses

·

branch-instructions or branches

·

branch-misses

·

bus-cycles

·

frontend-stalls

·

backend-stalls

·

ref-cycles

The count option specifies how many events must happen before the probe fires. If count is left unspecified a default value is used.

hardware:cache-misses:1e6 { @[pid] = count(); }

interval

variants

·

interval:us:count

·

interval:ms:count

·

interval:s:count

·

interval:hz:rate

shortnames

·

i

The interval probe fires at a fixed interval as specified by its time spec. Interval fire on one CPU at the time, unlike [profile] probes.

iterator

variants

·

iter:task

·

iter:task:pin

·

iter:task_file

·

iter:task_file:pin

shortnames

·

it

These are eBPF iterator probes, that allow iteration over kernel objects.

Iterator probe can’t be mixed with any other probe, not even other iterator.

Each iterator probe provides set of fields that could be accessed with ctx pointer. User can display set of available fields for iterator via -lv options as described below.

Examples:

# bpftrace -e iter:task { printf("%s:%d\n", ctx->task->comm, ctx->task->pid); }
Attaching 1 probe...
systemd:1
kthreadd:2
rcu_gp:3
rcu_par_gp:4
kworker/0:0H:6
mm_percpu_wq:8
...

# bpftrace -e iter:task_file { printf("%s:%d %d:%s\n", ctx->task->comm, ctx->task->pid, ctx->fd, path(ctx->file->f_path)); }
Attaching 1 probe...
systemd:1 1:/dev/null
systemd:1 2:/dev/null
systemd:1 3:/dev/kmsg
...
su:1622 1:/dev/pts/1
su:1622 2:/dev/pts/1
su:1622 3:/var/lib/sss/mc/passwd
...
bpftrace:1892 1:pipe:[35124]
bpftrace:1892 2:/dev/pts/1
bpftrace:1892 3:anon_inode:bpf-map
bpftrace:1892 4:anon_inode:bpf-map
bpftrace:1892 5:anon_inode:bpf_link
bpftrace:1892 6:anon_inode:bpf-prog
bpftrace:1892 7:anon_inode:bpf_iter

It’s possible to pin iterator with specifying optional probe :pin part, that defines the pin file. It can be specified as absolute path or relative to /sys/fs/bpf.

relative pin

# bpftrace -e iter:task:list { printf("%s:%d\n", ctx->task->comm, ctx->task->pid); }
Program pinned to /sys/fs/bpf/list

# cat /sys/fs/bpf/list
systemd:1
kthreadd:2
rcu_gp:3
rcu_par_gp:4
kworker/0:0H:6
mm_percpu_wq:8
rcu_tasks_kthre:9
...

Examples with absolute pin file:

absolute pin

# bpftrace -e 
iter:task_file:/sys/fs/bpf/files {
  printf("%s:%d %s\n", ctx->task->comm, ctx->task->pid, path(ctx->file->f_path));
}

Program pinned to /sys/fs/bpf/files

# cat /sys/fs/bpf/files
systemd:1 anon_inode:inotify
systemd:1 anon_inode:[timerfd]
...
systemd-journal:849 /dev/kmsg
systemd-journal:849 anon_inode:[eventpoll]
...
sssd:1146 /var/log/sssd/sssd.log
sssd:1146 anon_inode:[eventpoll]
...
NetworkManager:1155 anon_inode:[eventfd]
NetworkManager:1155 /var/lib/sss/mc/passwd (deleted)

kfunc and kretfunc

variants

·

kfunc:fn

·

kretfunc:fn

shortnames

·

f (kfunc)

·

fr (kretfunc)

requires (--info)

·

Kernel features:BTF

·

Probe types:kfunc

kfuncs attach to kernel function similar to kprobe and kretprobe. They make use of eBPF trampolines which allows kernel code to call into BPF programs with near zero overhead.

kfunc s make use of BTF type information to derive the type of function arguments at compile time. This removes the need for manual type casting and makes the code more resilient against small signature changes in the kernel. The function arguments are available in the args struct which can be inspected by doing verbose listing (see LISTING PROBES). These arguments are also available in the return probe (kretfunc).

# bpftrace -lv kfunc:tcp_reset
kfunc:tcp_reset
    struct sock * sk
    struct sk_buff * skb

kfunc:x86_pmu_stop {
  printf("pmu %s stop\n", str(args->event->pmu->name));
}

kretfunc:fget {
  printf("fd %d name %s\n", args->fd, str(retval->f_path.dentry->d_name.name));
}

fd 3 name ld.so.cache
fd 3 name libselinux.so.1
fd 3 name libselinux.so.1
...

kprobe and kretprobe

variants

·

kprobe:fn

·

kprobe:fn+offset

·

kretprobe:fn

shortnames

·

k

·

kr

kprobe s allow for dynamic instrumentation of kernel functions. Each time the specified kernel function is executed the attached BPF programs are ran.

kprobe:tcp_reset {
  @tcp_resets = count()
}

Function arguments are available through the argX and sargX builtins, for register args and stack args respectively. Whether arguments passed on stack or in a register depends on the architecture and the number or arguments in used, e.g. on x86_64 the first non-floating point 6 arguments are passed in registers, all following arguments are passed on the stack. Note that floating point arguments are typically passed in special registers which don’t count as argX arguments which can cause confusion. Consider a function with the following signature:

void func(int a, double d, int x)

Due to d being a floating point x is accessed through arg1 where one might expect arg2.

bpftrace does not detect the function signature so it is not aware of the argument count or their type. It is up to the user to perform Type conversion when needed, e.g.

kprobe:tcp_connect
{
  $sk = ((struct sock *) arg0);
  ...
}

kprobe s are not limited to function entry, they can be attached to any instruction in a function by specifying an offset from the start of the function.

kretprobe s trigger on the return from a kernel function. Return probes do not have access to the function (input) arguments, only to the return value (through retval). A common pattern to work around this is by storing the arguments in a map on function entry and retrieving in the return probe:

kprobe:d_lookup
{
        $name = (struct qstr *)arg1;
        @fname[tid] = $name->name;
}

kretprobe:d_lookup
/@fname[tid]/
{
        printf("%-8d %-6d %-16s M %s\n", elapsed / 1e6, pid, comm,
            str(@fname[tid]));
}

profile

variants

·

profile:us:count

·

profile:ms:count

·

profile:s:count

·

profile:hz:rate

shortnames

·

p

Profile probes fire on each CPU on the specified interval.

software

variants

·

software:event:

·

software:event:count

shortnames

·

s

The software probe attaches to pre-defined software events provided by the kernel. Event details can be found in the perf_event_open(2) man page.

The event names are:

·

cpu-clock or cpu

·

task-clock

·

page-faults or faults

·

context-switches or cs

·

cpu-migrations

·

minor-faults

·

major-faults

·

alignment-faults

·

emulation-faults

·

dummy

·

bpf-output

tracepoint

variants

·

tracepoint:subsys:event

shortnames

·

t

Tracepoints are hooks into events in the kernel. Tracepoints are defined in the kernel source and compiled into the kernel binary which makes them a form of static tracing. Which means that unlike kprobe s new tracepoints cannot be added without modifying the kernel.

The advantage of tracepoints is that they generally provide a more stable interface than kprobe s do, they do not depend on the existence of a kernel function.

Tracepoint arguments are available in the args struct which can be inspected with verbose listing, see the LISTING PROBES section for more details.

tracepoint:syscalls:sys_enter_openat {
  printf("%s %s\n", comm, str(args->filename));
}

irqbalance /proc/interrupts
irqbalance /proc/stat
snmpd /proc/diskstats
snmpd /proc/stat
snmpd /proc/vmstat
snmpd /proc/net/dev
[...]

Additional information

·

<https://www.kernel.org/doc/html/latest/trace/tracepoints.html>

uprobe, uretprobe

variants

·

uprobe:binary:func

·

uprobe:binary:func+offset

·

uretprobe:binary:func

shortnames

·

u

·

ur

uprobe s or user-space probes are the user-space equivalent of kprobe s. The same limitations that apply kprobe and kretprobe also apply to uprobe s and uretprobe s.

When tracing libraries, it is sufficient to specify the library name instead of a full path. The path will be then automatically resolved using /etc/ld.so.cache:

# bpftrace -e uprobe:libc:malloc { printf("Allocated %d bytes\n", arg0); }
Allocated 4 bytes
...

If the traced binary has DWARF included, function arguments are available in the args struct which can be inspected with verbose listing, see the LISTING PROBES section for more details.

It is important to note that for uretprobe s to work the kernel runs a special helper on user-space function entry which overrides the return address on the stack. This can cause issues with languages that have their own runtime like Golang:

example.go

func myprint(s string) {
  fmt.Printf("Input: %s\n", s)
}

func main() {
  ss := []string{"a", "b", "c"}
  for _, s := range ss {
    go myprint(s)
  }
  time.Sleep(1*time.Second)
}

bpftrace

# bpftrace -e uretprobe:./test:main.myprint { @=count(); } -c ./test
runtime: unexpected return pc for main.myprint called from 0x7fffffffe000
stack: frame={sp:0xc00008cf60, fp:0xc00008cfd0} stack=[0xc00008c000,0xc00008d000)
fatal error: unknown caller pc

usdt

variants

·

usdt:binary:name

shortnames

·

U

watchpoint and asyncwatchpoint

variants

·

watchpoint:absolute_address:length:mode

·

watchpoint:function+argN:length:mode

shortnames

·

w

·

aw

These are memory watchpoints provided by the kernel. Whenever a memory address is written to (w), read from (r), or executed (x), the kernel can generate an event.

In the first form, an absolute address is monitored. If a pid (-p) or a command (-c) is provided, bpftrace takes the address as a userspace address and monitors the appropriate process. If not, bpftrace takes the address as a kernel space address.

In the second form, the address present in argN when function is entered is monitored. A pid or command must be provided for this form. If synchronous (watchpoint), a SIGSTOP is sent to the tracee upon function entry. The tracee will be SIGCONTed after the watchpoint is attached. This is to ensure events are not missed. If you want to avoid the SIGSTOP + SIGCONT use asyncwatchpoint.

Note that on most architectures you may not monitor for execution while monitoring read or write.

Examples

Print hit when a read from or write to 0x10000000 happens:

# bpftrace -e watchpoint:0x10000000:8:rw { printf("hit!\n"); exit(); } -c ./testprogs/watchpoint

Print the call stack every time the jiffies variable is updated:

# bpftrace -e "watchpoint:0x$(awk $3 == "jiffies" {print $1} /proc/kallsyms):8:w {
  @[kstack] = count();
}

i:s:1 { exit(); }"
......
@[
    do_timer+12
    tick_do_update_jiffies64.part.22+89
    tick_sched_do_timer+103
    tick_sched_timer+39
    __hrtimer_run_queues+256
    hrtimer_interrupt+256
    smp_apic_timer_interrupt+106
    apic_timer_interrupt+15
    cpuidle_enter_state+188
    cpuidle_enter+41
    do_idle+536
    cpu_startup_entry+25
    start_secondary+355
    secondary_startup_64+164
]: 319

"hit" and exit when the memory pointed to by arg1 of increment is written to.

# cat wpfunc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((noinline))
void increment(__attribute__((unused)) int _, int *i)
{
  (*i)++;
}

int main()
{
  int *i = malloc(sizeof(int));
  while (1)
  {
    increment(0, i);
    (*i)++;
    usleep(1000);
  }
}

# bpftrace -e watchpoint:increment+arg1:4:w { printf("hit!\n"); exit() } -c ./wpfunc

Probe listing is the method to discover which probes are supported by the current system. Listing supports the same syntax as normal attachment does:

# bpftrace -l kprobe:*
# bpftrace -l t:syscalls:*openat*
# bpftrace -l kprobe:tcp*,trace
# bpftrace -l k:*socket*,tracepoint:syscalls:*tcp*

The verbose flag (-v) can be specified to inspect arguments (args) for providers that support it:

# bpftrace -l fr:tcp_reset,t:syscalls:sys_enter_openat -v
kretfunc:tcp_reset
    struct sock * sk
    struct sk_buff * skb
tracepoint:syscalls:sys_enter_openat
    int __syscall_nr
    int dfd
    const char * filename
    int flags
    umode_t mode
# bpftrace -l uprobe:/bin/bash:rl_set_prompt -v    # works only if /bin/bash has DWARF
uprobe:/bin/bash:rl_set_prompt
    const char *prompt